Setting Multiple Cookies in PHP

Question

Thanks for helping with this.

I have a script that checks logins and then sets some cookies. There are 4 cookies that are being set, (later I will probably move some to server session but for now I am using cookies.

The issue that I am having is that only the first 2 of the 4 are being set before the rest of the script is being executed. Can anyone see why?

// If there is a row, and only 1 row, then the details are correct. Set the cookie and re-direct
            $row = mysqli_fetch_array($data);

            setcookie('user_id', $row['User_ID'], time()+ (60*15),"/");
            setcookie('user_name',  $row['UserName'], time()+ (60*15),"/");
            setcookie('access_Level', $row['Access_Level'], time()+ (60*15),"/");
            setcookie('db_con', $row['Db_Con'], time()+ (60*15),"/");

            $home_url = $link . "application/views/Dashboard.php";
            header('Location: ' . $home_url);

Answer 1

Using:

<?php

$row = array(
    'User_ID' => '1',
    'UserName' => '1',
    'Access_Level' => '1',
    'Db_Con' => '1'
);

setcookie('user_id', $row['User_ID'], time()+ (60*15),"/");
setcookie('user_name',  $row['UserName'], time()+ (60*15),"/");
setcookie('access_Level', $row['Access_Level'], time()+ (60*15),"/");
setcookie('db_con', $row['Db_Con'], time()+ (60*15),"/");

// This will not be set, and the cookie is not created.
setcookie('db_con2', $row['Db_Con2'], time()+ (60*15),"/");

?>

http://jfcoder.com/test/setcookie.php

In Firefox, I check to see the cookies for a page by right-clicking on the page, View Page Info , Security tab, View Cookies button. All four cookies show up on that page in my browser. The last one does not (since it is has no value).

I'm thinking your column names are not spelled/capitalized correctly, or some other issue, and that $row['Access_Level'] and $row['Db_Con'] are empty columns in your result.

Answer 2

Firstly, the obvious question: Have you tried copying the variables you're saving to cookies, and pasting them into a print_r() statement, so you can prove that they have the values you expect. It's possible you made a typo or incorrect capitalisation, or something similar.

The next thing to check are the values in these variables. You haven't specified the possible values for Access_Level and Db_Con , but if they are set to false or blank, then the cookie will be cleared, rather than being set to that value. This is unlikely to be what you want.

If that's not the problem, another possible issue (though I doubt it in this case) is total length of your cookies. A site may only serve a maximum of 4K in its cookie string. If you're using UTF-8 encoding (which is recommended) this means only about a thousand characters, including all the field names and formatting of the cookie string, as well as the values. Cookies beyond that length will not be saved. It doesn't look like that's your problem here, but I guess it's possible you're serving other cookies as well as these four, which could be tipping the balance.

I would also strongly recommend not using cookies for the sorts of data you're using it for here.

It is important to know that cookies are a highly insecure means of storing data. They can be spied on by third parties, and are easily tampered with. If your site is relying on Access_Level to be accurate in subsequent page loads and is using it to decide whether or not to grant access to certain pages, then you have given your site a massive security hole.

Secondly, Cookies are inefficient. The entire cookie string is sent in both directions for every single request made to the server. This includes graphics and other files which aren't able to actually affect them. So if a page has a lot of images, stylesheets and javascript files that it loads, then you'll be sending all your cookies up and down the wire possibly dozens of times every time the user goes to a new page.

I recommend using PHP sessions instead. Granted they also use a cookie, but it doesn't contain any data that can easily be tampered with, and it is only a single cookie variable, so it minimises both these issues. It's also extremely easy to use.

Hope that helps.